CVE-2010-2493

The default configuration of the deployment descriptor (aka web.xml) in picketlink-sts.war in (1) the security_saml quickstart, (2) the webservice_proxy_security quickstart, (3) the web-console application, (4) the http-invoker application, (5) the gpd-deployer application, (6) the jbpm-console application, (7) the contract application, and (8) the uddi-console application in JBoss Enterprise SOA Platform before 5.0.2 contains GET and POST http-method elements, which allows remote attackers to bypass intended access restrictions via a crafted HTTP request.

Published: Aug 10, 2010
Updated: Apr 13, 2023
CVE: CVE-2010-2493
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-16

OWASP TOP 10:

A6 - Security Misconfiguration

Affected Software
References

Software	From	Fixed in
redhat / jboss_enterprise_soa_platform	4.3.0	4.3.0.x
redhat / jboss_enterprise_soa_platform	4.2.0-tp02	4.2.0-tp02.x
redhat / jboss_enterprise_soa_platform	4.3.0-cp02	4.3.0-cp02.x
redhat / jboss_enterprise_soa_platform	4.3.0-cp01	4.3.0-cp01.x
redhat / jboss_enterprise_soa_platform	4.2.0-cp05	4.2.0-cp05.x
redhat / jboss_enterprise_soa_platform	4.2.0-cp04	4.2.0-cp04.x
redhat / jboss_enterprise_soa_platform	4.3.0-cp04	4.3.0-cp04.x
redhat / jboss_enterprise_soa_platform	4.2.0-cp01	4.2.0-cp01.x
redhat / jboss_enterprise_soa_platform	4.2.0-cp03	4.2.0-cp03.x
redhat / jboss_enterprise_soa_platform	4.2.0	4.2.0.x
redhat / jboss_enterprise_soa_platform	4.3.0-cp03	4.3.0-cp03.x
redhat / jboss_enterprise_soa_platform	5.0.0	5.0.0.x
redhat / jboss_enterprise_soa_platform	-	5.0.1.x
redhat / jboss_enterprise_soa_platform	4.2.0-cp02	4.2.0-cp02.x

Vulnerability Database

289,784

CVE-2010-2493